
AI Agent Delegation via MCP Has Gaps a Murderbot Could Walk Through
Why It Matters
Without robust, context‑aware authorization, enterprises risk rogue AI agents exploiting shared data, undermining security and compliance. Schwartz’s GovOps model offers a scalable path to enforce zero‑trust across AI ecosystems.
Key Takeaways
- MCP enables AI agents to share context across services
- Zero‑trust requires policy engines embedded in each service, not just a gateway
- Cedar policy language offers analyzable, context‑rich authorization rules
- GovOps model ties identity to accountability for AI delegation
- Human authentication is solved; authorization remains the security gap
Pulse Analysis
The Model Context Protocol (MCP) promises a unified language for AI agents to exchange data and intent, accelerating cross‑service automation. Yet the open standard also creates a broader attack surface, as agents can carry context from one system to another without clear provenance. Security professionals are therefore grappling with how to enforce zero‑trust principles when the very fabric of AI communication is designed for fluidity. The challenge lies in distinguishing legitimate delegation from malicious exploitation, especially as enterprises adopt increasingly autonomous agents for critical workflows.
Michael Schwartz’s presentation highlighted a fundamental flaw in the conventional zero‑trust model: a single MCP gateway cannot guarantee that downstream services honor the same security posture. He proposed a decentralized Governor Module—a lightweight policy engine embedded within each service—that continuously evaluates requests against dynamic, context‑aware rules. By leveraging Cedar, an open‑source policy language, organizations can write policies that factor in data‑ownership agreements, regulatory constraints, and real‑time risk signals. This shift from role‑based access control to policy‑driven authorization enables granular decisions that adapt as the agent’s network context evolves.
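To make the kind of policy Schwartz describes concrete, here is an added Cedar policy set, written for this summary rather than taken from the talk or from the Cedar project. It assumes a hypothetical entity model (Agent, Human, Record, the action names, and the group names) and hypothetical request context attributes (riskScore, hopCount), all named in the comments, for a records service that embeds its own Governor Module:

```cedar
// Added example, not from the talk or the Cedar project.
// Assumed entity model for a records service (hypothetical):
//   Agent  - an MCP-connected AI agent; attrs: delegatedBy (Human), allowedScopes (Set<String>)
//   Human  - a human principal; member of Group::"Employees"
//   Record - a data resource; attrs: owner (Human), dataClass (String), jurisdiction (String)
//   Action - "ReadRecord", "UpdateRecord", "ExportRecord"
// Assumed request context supplied by the calling service: riskScore (Long), hopCount (Long)

// 1. Delegation rule: an agent may read or update a record only on behalf of the
//    human who owns it, and only within the data classes that human delegated.
@id("agent-delegated-access")
permit (
  principal in Group::"McpAgents",
  action in [Action::"ReadRecord", Action::"UpdateRecord"],
  resource
)
when {
  principal has delegatedBy &&
  principal.delegatedBy == resource.owner &&
  principal.allowedScopes.contains(resource.dataClass)
};

// 2. Humans keep direct access to their own records, agent or no agent.
@id("owner-direct-access")
permit (
  principal in Group::"Employees",
  action in [Action::"ReadRecord", Action::"UpdateRecord", Action::"ExportRecord"],
  resource
)
when { principal == resource.owner };

// 3. Regulatory constraint: records tagged with a restricted jurisdiction are never
//    exported through an agent. A Cedar forbid always overrides any permit.
@id("no-agent-export-restricted")
forbid (
  principal in Group::"McpAgents",
  action == Action::"ExportRecord",
  resource
)
when { resource.jurisdiction == "restricted" };

// 4. Real-time risk signal: refuse any agent request whose context carries a high
//    risk score or has been relayed across too many MCP hops to trust its provenance.
@id("risk-gate")
forbid (
  principal in Group::"McpAgents",
  action,
  resource
)
when {
  (context has riskScore && context.riskScore >= 70) ||
  (context has hopCount && context.hopCount > 2)
};
```

Each service evaluates a request locally against these policies, using the entity attributes and context it holds, instead of trusting a verdict or header handed down by a gateway. Because a forbid overrides a permit in Cedar, the regulatory and risk gates cannot be undone by a later, more generous permit, and the whole set can be validated against a schema before deployment, which is the analyzability the talk points to.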
The broader implication for enterprises is the emergence of GovOps, an operating model that aligns identity, accountability, and risk management across AI delegations. By treating identity as the anchor for audit trails and tying policy violations to automated remediation, firms can achieve measurable compliance while still reaping the efficiency gains of AI agents. As AI integration deepens, adopting GovOps and Cedar‑based policies will become a competitive differentiator, ensuring that the promise of MCP does not become a liability in the evolving threat landscape.